Need Not Apply: Hack of Job Seeker Database Hits Workers in 10 States



America’s Joblink Alliance said on Wednesday that a hack of its job seeker application exposed sensitive information on residents of 10 states.

A hack of a web-based application has exposed information on jobseekers in 10 U.S. states, according to an announcement Wednesday by America’s JobLink Alliance.

The organization said that a malicious third party “hacker” exploited a vulnerability in the Americas JobLink (AJL) application on February 20. The breach exposed sensitive information including job seekers’ names, Social Security Numbers, and dates of birth. It is just the latest example of a malicious attack on a third-party application provider. AJL confirmed the breach on March 12 and notified affected job seekers on March 21.

Residents of Alabama, Arizona, Arkansas, Delaware, Idaho, Illinois, Kansas, Maine, Oklahoma and Vermont were all affected by the incident, according to America’s JobLink, a Kansas-based organization that connects job seekers with employers and has contracts with state departments of labor and employment.

Americas JobLink’s Technical Support group said it is working with law enforcement and conducting a forensic investigation of the incident. The exact number of workers whose information was exposed is not yet known, AJL said.

According to a FAQ published by the company, the attack began with a hacker creating a job seeker account on an America’s JobLink system. Using that account and an apparent application flaw, the hacker gained “unauthorized access to certain personally identifiable information on other job seekers.”

AJL became aware of the compromise on March 12 when it noticed unusual error messages being generated by the AJL application. The company fixed the vulnerability on March 14.

In Vermont, the State Department of Labor was informed that state residents’ information was among those exposed in the breach. The Department briefed Vermont Governor Phil Scott and the Vermont Attorney General’s Office, according to published reports.

The AJL case is just the latest to underscore the risk posed by data breaches via third party hosting and application providers. That’s especially true as more public and private sector organizations turn to cloud-based applications like the AJL platform.

We’ve written about this before – as with the 2015 hack of PNI Media, a Vancouver-based provider of photo printing services. That resulted in customers of CVS, Costco, Rite-Aid and other big-box stores and pharmacies having their information exposed to hackers. A breach at a benefits provider that counted Google as a customer resulted in the exposure of sensitive information on employees there in May. The third-party breach problem has also hit the healthcare sector hard, with attacks on Electronic Health Record (EHR) vendors like Bizmatics proving a particularly thorny problem.

As this blog has noted, there’s no easy fix to the third-party provider security problem. Companies need to make security a top priority when selecting a third-party vendor. That can be difficult if security is just one item (and not a top-line item) on a long list of features and capabilities your company is searching for. However, getting an application auditor to review whatever platform or application you’re considering is a good first step.

Still, even that isn’t foolproof. The AJL vulnerability was newly introduced to the platform via a recent update. That means an earlier audit wouldn’t have turned up a gaping hole – as that hole didn’t exist yet. That’s why it’s also important to work with providers on security on an ongoing basis and to coordinate response in the event of a breach or other incident.

Paul Roberts


Paul Roberts is the editor in chief of The Security Ledger and founder of the Security of Things Forum. A seasoned reporter, Paul has more than a decade of experience covering the IT security space. His writing has appeared in publications including The Christian Science Monitor, MIT Technology Review and The Economist Intelligence Unit. He's appeared on news outlets including Al Jazeera America, NPR's Marketplace Tech Report and The Oprah Show.